symfony · thtroyer · Oct 18, 2016 · Oct 31, 2016 · Nov 9, 2016 · Nov 9, 2016
diff --git a/security/guard_authentication.rst b/security/guard_authentication.rst
@@ -164,14 +164,16 @@ This requires you to implement six methods::
     class TokenAuthenticator extends AbstractGuardAuthenticator
     {
         /**
-         * Called on every request. Return whatever credentials you want,
-         * or null to stop authentication.
+         * Called on every request. Return whatever credentials you want, which
+         * will be passed to getUser().  Returning null skips all other authentication
+         * steps.  Throwing an AuthenticationException will cause authentication to fail, 
+         * calling onAuthenticationFailure().
          */
         public function getCredentials(Request $request)
         {
             if (!$token = $request->headers->get('X-AUTH-TOKEN')) {
-                // no token? Return null and no other methods will be called
-                return;
+                // No token?  Cause authentication to fail.
+                throw new AuthenticationException();
             }
 
             // What you return here will be passed to getUser() as $credentials